MAL-2026-4741

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/aurafarmer/MAL-2026-4741.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4741
Published
2026-05-19T21:52:37Z
Modified
2026-05-26T06:03:09.221810595Z
Summary
Malicious code in aurafarmer (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (967bdc07ba43b92a320ad0ef81975a5547d24b987eda5b8cdf863fc7c18245e0)

The package advertises an aurex CLI. Its login flow (aurex/main.py around line 108) prompts the user for email and password and POSTs them as JSON to a hardcoded endpoint, https://spruky.qzz.io/aurafarmer/endpoint, defined in aurex/config.py line 5. The destination is a free dynamic-DNS host (qzz.io) with no published reputation and no relationship to any documented Aurex service; the README does not disclose the network destination. Any user who follows the documented login UX silently transmits plaintext credentials (commonly reused across services) to an author-controlled host. The PyPI distribution name (aurafarmer) does not match the CLI/import/brand name (aurex) — the README even instructs pip install aurex while this distribution is published as aurafarmer — increasing the likelihood the distribution is positioned to be confused with a different project. Caller-supplied secrets flowing to a hardcoded, undisclosed, author-controlled endpoint is the silent-relay shape.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-19T21:52:37Z",
            "versions": [
                "0.3.0"
            ],
            "sha256": "967bdc07ba43b92a320ad0ef81975a5547d24b987eda5b8cdf863fc7c18245e0",
            "id": "IN-MAL-2026-003288",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:21.401583408Z"
        }
    ]
}

Affected packages

PyPI / aurafarmer

Affected versions

0.*
0.3.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "7924d3d9f9e8d16b634ba95c63457256726a7e6c2d363ce280ba0dfb172eff5d",
            "tlsh": "3432f375a47d2c32f353cc5cae96c01006a679833944787879acb1989fdc932b6b2b79",
            "path": "aurex/main.py"
        },
        {
            "sha256": "9debe39c1783e159cc2f5c1bf994882900abd5e75f2abf157c43daa0f54de61a",
            "tlsh": "25f00226cd365e23cad5605c2460c9827e71752632d0a00d70cec15c5e9d0c1d3ede3c",
            "path": "pyproject.toml"
        }
    ],
    "package_integrity": [
        {
            "filename": "aurafarmer-0.3.0-py3-none-any.whl",
            "hashes": {
                "blake2b_256": "1d2328967721027fd95c6aa9085716f0e3c9b5af0011e876c92e9f0f2158073f",
                "md5": "cef0618a974e9c7b5551f5fe6a13b890",
                "sha256": "8ee81c988b9bf1ada08b28a11d86f4cab9e5c5c36f7c75fa7161f442f2bc9027"
            }
        },
        {
            "hashes": {
                "md5": "5ab81b03d0e9e0203b08eb3ffd10cbc8",
                "blake2b_256": "2b83be64af7fa0721ee24d2ef23d9c63fb8c2d1efb124ddbbe0d664b200b8124",
                "sha256": "239a3399065ad563f302257deaa5f996eb3499bd92dc439dbc5a282a86724473"
            },
            "filename": "aurafarmer-0.3.0.tar.gz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/aurafarmer/MAL-2026-4741.json"